code-block-pro
Inline style-attributes break safe CSP
I use the 'CSP Friendly Security' plugin to apply strict Content-Security-Policy rules with generated nonces on inline script/style tags. After a few policy tweaks in that plugin it works great, except for Code Block Pro because the formatting is rendered inside the style= attributes of the divs. It is not possible to nonce attributes, so for security the code styling is not being applied in the browser.
Is it possible to rewrite the HTML generator to use <style> blocks instead of style= attributes?
Then the CSP plugin (and similar) will add a nonce attribute to the block and include those in the policy.
Better would be to use global styles (#333) but that seems to be a lot more work.
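The rewrite requested above, as an added example that is not part of the original post and not Code Block Pro's own code: each `style=` value is moved into a generated class, and the rules are emitted in one `<style>` block that carries the nonce. The function name, the `cbp-s` class prefix, the sample markup and the nonce value are assumptions made for illustration.

```javascript
// Constructed sample: highlighter-like output with per-element style= attributes.
const sample =
  '<pre class="shiki" style="background-color: #1e1e1e">' +
  '<span style="color: #569CD6">const</span> ' +
  '<span style="color: #9CDCFE">x</span> ' +
  '<span style="color: #569CD6">let</span></pre>';

// Hypothetical helper. Regex tag matching is enough for generated highlighter
// markup with double-quoted attributes; it is not a general HTML parser.
function hoistInlineStyles(html, nonce) {
  if (!/^[A-Za-z0-9+\/_=-]+$/.test(nonce)) throw new Error('bad nonce');
  const classFor = new Map(); // declaration text -> generated class name
  const out = html.replace(/<([a-zA-Z][\w-]*)(\s[^<>]*?)>/g, (tag, name, attrs) => {
    const m = /\sstyle="([^"]*)"/.exec(attrs);
    if (!m) return tag;
    const decl = m[1].trim().replace(/;+$/, '');
    // The value moves from attribute context into a stylesheet, so refuse
    // anything that could close the rule, close <style>, start an at-rule or
    // comment, or that relies on HTML entity decoding.
    if (/[{}<>@\\&]|\/\*/.test(decl)) throw new Error('unsafe style value: ' + decl);
    if (!classFor.has(decl)) classFor.set(decl, 'cbp-s' + classFor.size);
    const cls = classFor.get(decl);
    let rest = attrs.replace(m[0], '');
    rest = /\sclass="/.test(rest)
      ? rest.replace(/(\sclass=")([^"]*)"/, (_, p, v) => `${p}${(v + ' ' + cls).trim()}"`)
      : rest + ` class="${cls}"`;
    return `<${name}${rest}>`;
  });
  const css = [...classFor].map(([decl, cls]) => `.${cls}{${decl}}`).join('\n');
  // Only this element needs the nonce listed in style-src.
  return { html: out, css, styleTag: `<style nonce="${nonce}">\n${css}\n</style>` };
}

const result = hoistInlineStyles(sample, 'r4nd0m'); // constructed nonce value
console.log(result.styleTag + '\n' + result.html);
```

Class rules have lower specificity than inline styles, so theme CSS that targets the same elements can override the hoisted colours where it could not before.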